CyberWire Daily - What would it take to get you kids into a nice, late-model malware mealkit?
Episode Date: October 31, 2023
Malicious packages are found attached to NuGet. Russia will establish its own substitute for VirusTotal. Commodity tools empower low-grade Russian cybercriminals. Malware mealkits, and other notes from the cyber underground. Insights from a Cybersecurity workforce study. Mr Security Answer Person John Pescatore looks at MFA. Drew Rose from Living Security on the very scary human side of cyber attacks. And more details from President Biden's Executive Order on artificial intelligence.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/208
Selected reading.
IAmReboot: Malicious NuGet packages exploit loophole in MSBuild integrations (ReversingLabs)
Russia to launch its own version of VirusTotal due to US snooping fears (Record)
Russian hacking tool floods social networks with bots, researchers say (Record)
How Kopeechka, an Automated Social Media Accounts Creation Service, Can Facilitate Cybercrime (Trend Micro)
HP Wolf Security Threat Insights Report Q3 2023 (HP Wolf Security)
How the Economy, Skills Gap and Artificial Intelligence are Challenging the Global Cybersecurity Workforce (ISC2)
Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (The White House)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Malicious packages are found attached to NuGet.
Russia will establish its own substitute for VirusTotal.
Commodity tools empower low-grade Russian cyber criminals.
Malware meal kits and other notes from the cyber underground.
Insights from a cybersecurity workforce study.
Mr. Security Answer Person John Pescatore looks at MFA.
Drew Rose from Living Security on the very scary human side of cyber attacks,
and more details from President Biden's executive order on artificial intelligence.
I'm Dave Bittner with your CyberWire Intel briefing for a very spooky Tuesday, October 31st, 2023.
Researchers at ReversingLabs have discovered several hundred malicious packages published to the NuGet package manager since the beginning of August.
The researchers note these packages employed an unusual code execution technique that's worth mentioning.
Most of the malware published to the NuGet repository places malicious code inside the initialization and post-installation PowerShell scripts.
These packages use a different approach, with the malicious functionality placed inside the packageid.targets file in the build directory.
ReversingLabs adds, "Based on our research, this is the first known example of malware published to the NuGet repository exploiting this inline tasks feature to execute malware."
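A defender-side check for the technique described above, added here as an example and not code from the episode or from ReversingLabs: it opens a .nupkg (a zip archive) and flags any .targets or .props file under the package's build-time folders that declares an MSBuild inline task, that is, a UsingTask with a code task factory or an embedded Code element, which MSBuild compiles and runs during the build. The sample package, its harmless inline task and the benign comparison file are all constructed in the script.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Task factories that compile code embedded in the project file itself.
INLINE_TASK_FACTORIES = {"CodeTaskFactory", "RoslynCodeTaskFactory"}
# Package folders whose .targets/.props files MSBuild imports automatically.
BUILD_DIRS = ("build/", "buildtransitive/", "buildmultitargeting/")

def local_name(tag: str) -> str:
    """Strip an XML namespace prefix such as {http://...}UsingTask."""
    return tag.rsplit("}", 1)[-1]

def find_inline_tasks(xml_bytes: bytes) -> list[dict]:
    """Return one record per UsingTask that uses a code factory or embeds <Code>."""
    findings = []
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return findings  # not XML, so MSBuild would not import it either
    for elem in root.iter():
        if local_name(elem.tag) != "UsingTask":
            continue
        factory = elem.get("TaskFactory", "")
        code = next((c for c in elem.iter() if local_name(c.tag) == "Code"), None)
        if factory in INLINE_TASK_FACTORIES or code is not None:
            findings.append({"task": elem.get("TaskName", "?"), "factory": factory,
                             "language": code.get("Language", "") if code is not None else ""})
    return findings

def scan_nupkg(package_bytes: bytes) -> list[dict]:
    """Scan every .targets/.props under a build-time folder of a .nupkg."""
    results = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        for name in pkg.namelist():
            lower = name.lower()
            if lower.startswith(BUILD_DIRS) and lower.endswith((".targets", ".props")):
                for finding in find_inline_tasks(pkg.read(name)):
                    results.append({"file": name, **finding})
    return results

def build_sample_nupkg(targets_xml: str, package_id: str = "Demo.Package") -> bytes:
    """Constructed sample: a minimal package carrying a build/<id>.targets file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr(f"{package_id}.nuspec",
                     f"<package><metadata><id>{package_id}</id></metadata></package>")
        pkg.writestr(f"build/{package_id}.targets", targets_xml)
    return buf.getvalue()

# Constructed: a .targets file whose inline task merely writes a log line.
INLINE_TASK_TARGETS = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <UsingTask TaskName="SayHello" TaskFactory="RoslynCodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.Core.dll">
    <Task>
      <Code Type="Fragment" Language="cs">Log.LogMessage("hello from build");</Code>
    </Task>
  </UsingTask>
  <Target Name="SayHelloOnBuild" BeforeTargets="Build">
    <SayHello />
  </Target>
</Project>"""

# Constructed: a benign .targets file that only adds a content item.
BENIGN_TARGETS = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Content Include="$(MSBuildThisFileDirectory)../content/readme.txt" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for label, xml in (("inline-task", INLINE_TASK_TARGETS), ("benign", BENIGN_TARGETS)):
        print(label, scan_nupkg(build_sample_nupkg(xml)))
```

A hit is a review prompt, not proof of malice: legitimate packages do ship inline tasks, so the next step is reading the embedded code and the targets that invoke it.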
The NuGet security team has since removed the malicious packages.
The Record reports that Russia is in the process of establishing a free security package for internet users called MultiScanner.
The project will be prototyped this year, with further development in 2024, and released in finished form during 2025.
According to Deputy Minister of Digital Development, Communications and Mass Communication Alexander Shoytov, it will perform all the functions of VirusTotal and then some.
Replacement of VirusTotal, however, is a principal goal of the program. Russian authorities regard VirusTotal as a security risk.
The Record explains, "Similarly to VirusTotal, the service would ultimately not only remotely check files and links using static analysis, but also conduct behavioral analysis on the suspected malware in virtual controlled sandbox environments."
MultiScanner serves at least two purposes.
First, it affords a degree of independence from Western tools
that might be yanked under sanctions.
And second, Moscow is convinced NSA and other dark forces
are doing all sorts of stuff with the code in VirusTotal,
and so it's better to steer clear of it altogether.
If anyone's going to be abusing a security tool, gosh darn it, it's going to be patriots in the Aquarium and not those big-haired Baltimore Huns over at Fort Meade.
Kopeechka is a commodity tool that enables criminals to create large numbers of fake social media accounts.
It enables its users to bypass requirements that accounts be associated with unique email addresses and phone numbers.
Active since 2019, Kopeechka, The Record reports, has enabled creation of fraudulent accounts in Facebook, X, Discord, Telegram, and Roblox.
The name itself, Kopeechka, means "little penny."
It's the diminutive, affectionate, familiar form of kopek, the smallest Russian coin.
No languages are as rich in diminutives as the Slavic languages, and these terms of endearment turn up in surprising places.
Trend Micro, whose researchers have investigated the criminal service, says, "Kopeechka does not provide access to email inboxes, but it provides access to emails received from social media platforms. The service has been designed so that the mailbox account is still controlled by Kopeechka and not by any third-party user."
The study adds, "We suspect that these email addresses are either created by Kopeechka actors themselves or possibly compromised email inboxes, as we've previously seen these actors post messages in underground communities compromised email threads."
Kopeechka also purchases email accounts.
The service is actively hawked in criminal-to-criminal online markets, and it's supported with user-friendly training and customer service.
It's also cheap, with bogus or ripped-off email addresses available for pennies, not dollars.
Given Russophone criminal gangs' closeness to Russian intelligence and security services, Kopeechka can be expected to turn up in state-sponsored attacks.
Other commodity criminal tools, these not necessarily Russian, offer turnkey malware to the unskilled bad actor or to more business-like operators interested in saving through outsourcing.
HP's Wolf Security Threat Insights report for the third quarter of 2023 looks at trends in cybercriminal marketplaces, finding that crooks are peddling pre-packaged malware meal kits that allow unskilled criminals to carry out sophisticated attacks.
Alex Holland, senior malware analyst in the HP Wolf Security Research Team, explained, "Instead of creating their own tools, low-level cybercriminals can access kits that use living-off-the-land tactics. These stealthy in-memory attacks are often harder to detect due to security tool exclusions for admin use like automation."
The report makes particular note of two campaigns.
One, a Vjw0rm campaign that executes multi-stage attacks, employs a 10-year-old Houdini worm and living-off-the-land tactics to remain hidden.
The other is a Parallax remote-access Trojan campaign that runs two threads when a user opens the bait.
One thread opens a file, the other runs the malware. Wolf Security calls this a "Jekyll and Hyde" attack.
The connection between the threads may not be obvious, and the victims may not recognize that they're under attack at all.
The report also found that criminals frequently scam each other, offering fake, malicious versions of popular commodity malware strains.
For a sense of what the malware costs in the C2C market, note that a Parallax meal kit can be rented for just $65 a month.
It's not a single-score, big-payoff trade. The proprietor's secret would seem to be the proverbial volume, just like Crazy Eddie.
ISC2 has published its Cybersecurity Workforce Study 2023, finding that the global cybersecurity workforce has reached 5.5 million people, an 8.7% increase from 2022, representing 440,000 new jobs.
Despite this increase, the cybersecurity workforce gap has reached a record high, with 4 million professionals needed to adequately safeguard digital assets.
92% of respondents said their organizations have cybersecurity skills gaps, particularly in cloud computing security, artificial intelligence and machine learning, and zero-trust implementation.
So the gaps continue, even as demand for workers remains high.
And finally, the White House has made the full text of President Biden's executive order on the safe, secure, and trustworthy development and use of artificial intelligence available.
It's a long document, rich in taskings and deadlines that the previously released fact sheet gives summary treatment.
All connoisseurs of agency deadlines can get a full helping in the briefing room at whitehouse.gov.
Coming up after the break, Mr. Security Answer Person John Pescatore looks at MFA.
Drew Rose from Living Security on the very scary human side of cyber attacks.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from BlackCloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with BlackCloak.
Learn more at blackcloak.io.
Mr. Security Answer Person.
Hi, I'm John Pescatore, Mr. Security Answer Person.
Today's question, if multi-factor authentication is going to be such a dramatic raising of the bar in cybersecurity, why am I reading about so many attacks succeeding today, even though MFA was in use?
You know, when I was a kid, we had a fence around our backyard that kept our Cocker Spaniel in just fine.
Then my dad brought home what today we would call a rescue dog,
a German Shepherd that was not used to being treated kindly and who really, really wanted to escape.
That dog immediately dug under the fence, so he had to dig out a long trench under the fence and fill it with gravel to stop its digging.
But then the German shepherd just jumped over the fence.
So he made the fence higher and all was good.
Until I forgot to latch the gate and that dog got out and was never seen again.
Thanks for listening.
Oh, wait a minute.
You don't think I answered your question yet? Okay, how about this?
Multi-factor authentication is like that fence.
Those attacks that succeeded against MFA took advantage of MFA not being done right or the gate being left open to go around multi-factor authentication.
Look, just about anything is more secure than even the longest, most random password.
SMS text messages for MFA did greatly raise the bar against phishing, but are still vulnerable to man-in-the-middle attacks as well as bypass attacks.
Passkeys implementing FIDO2 and WebAuthn standards are way more secure, but misconfigurations are still possible.
Most of the recent successful attacks against MFA have not broken it.
They have gone after backup processes that have to be in place for when a user can't log in with the MFA solution.
These are generally called MFA bypass attacks and can range from tricking a cell service carrier into approving a SIM swap on a registered mobile number to the attacker's device, to using generative AI tools to leave deepfake audio and/or video messages to fool help desks into giving the attacker access.
When you move to MFA, and it should be when, not if, make sure penetration testing is done before rollout, and check those backup processes as well.
Update your security awareness training to cover attacks against the form of MFA you have in use.
Multi-factor authentication does have a lot of moving parts. It is not at all that hard to do well, but definitely easy to do badly.
None of these bypass attacks should be used as any kind of excuse to delay moving to MFA.
Replacing reusable passwords with strong authentication has been shown to thwart 99.9% of phishing attacks.
However, if you could focus your existing resources on just that remaining 0.1%,
just think how much you could reduce your time to detect, time to respond, and time to restore metrics.
And maybe, just maybe, you could actually use existing resources to make gains in other areas,
such as encrypting stored data so that a breach caused much less or even zero financial impact,
or maybe improving your team's threat hunting skills to more quickly detect the next zero-day-based attack.
Strong authentication is not going to put skilled security people out of work, and it may very well get us out of the constant need to ask for more resources.
For a while, anyway.
Thanks for listening. I'm John Pescatore, Mr. Security Answer Person.
Mr. Security Answer Person.
Mr. Security Answer Person with John Pescatore airs the last Tuesday of each month right here on the CyberWire.
Send your questions for Mr. Security Answer Person to questions at thecyberwire.com.
Drew Rose is co-founder of the human risk quantification firm Living Security
and also a former offensive cyber military analyst.
I caught up with him on this special Halloween day
to talk about some of the scariest attacks on humans.
I think there's a lot to be scared of.
I think, you know, Halloween being tomorrow doesn't increase my concern, but it's definitely fun to think about how Halloween could impact the different threats out there.
End users. So I'm scared of people that think they are really great in technology and they don't ever make mistakes and they have nothing to worry about.
I'm scared that they are going to download a spooky sound app on their phone and they give it way too many permissions than are necessary and that application somehow impedes the integrity of their organization, the people that they work for.
That's definitely one of them.
Can we talk some about things like cyber hygiene,
folks who are a little too confident when it comes to managing their passwords?
Yes, absolutely.
People, mostly not just in cybersecurity,
but in all areas of life,
they try to take the easier way out.
They want to do something that is most efficient
when it comes to their thought process.
So when it comes to password hygiene,
it doesn't surprise me that people kind of hook on
to either using the same password over and over and over again
or maybe the same theme of passwords.
And now using the same theme of passwords is obviously
a little bit more secure than using the same exact password.
But let's say your password is a scary movie title,
The Hills Have Eyes or Child's Play.
One, two.
If a bad guy is able to pick up on that pattern,
they can start cycling through a brute force list of all scary movie titles
and maybe potentially able to force into other applications
that that person is using.
Which is why we recommend obviously using a password manager
where you can create one long, strong,
easy to remember password to access the manager.
But every other password held within
is so complicated and complex and 30 characters or more
that they're, I would say, impossible, but very close to impossible to crack
unless they gain access to that password manager.
What about the scary, frustrating thing that makes me scream sometimes,
which is when I'm trying to just get my work done
and suddenly I have to
deal with some sort of security issue. I have to go fetch my hardware key or some other roadblock
that gets in my way. Yeah, so when it comes to the friction that cybersecurity gets in the way
of your day-to-day job, you have to think about what the potential outcome could be
if that friction wasn't in place.
If you decided not to wear your seatbelt,
you clearly know that if you get in a car accident,
you could fly through your windshield
and there could be lots of injuries.
In the cybersecurity world, if you bypass these security protocols
that slow you down, think about what that could mean for your company
or for yourself.
You could lose hours and hours of potential productivity
trying to remediate your credit card
or your bank account being hacked
and your money being taken
or credit cards being taken out
using your social security number.
For your business,
you could let a ransomware group into your organization.
Now, not only are you losing on productivity time, but you're also losing on the potential payout, right? And what does that mean for that organization's reputation?
If you look at one of the more recent ones, MGM, you're into the hundreds of millions in total losses due to a simple social engineering attack where a better approach would have been to trust but verify.
Somebody calls you from the help desk, you know, you don't just outright believe them.
Call them back on a number that you know, a number that's in your directory.
Take that time because yes, you may lose a couple minutes in doing that trust but verify exercise, but look what you potentially could be saving from an intrusion and incident perspective.
Right. The call is coming from inside the house, Drew.
You know, at Living Security, your firm, where you all focus on human risk quantification, I'm curious, what sort of misunderstandings do you find people have?
Are there things that they believe that are so that simply aren't?
I think one of the greatest misunderstandings in our industry is that people are the weakest link and that they are useless when it comes to protecting their organizations
and exhibiting positive security hygiene.
I think the problem that we've had over the last 10 years
is we've tried to teach people en masse.
When I say en masse, I mean using the same type of distribution,
whether that's a video or some type of PowerPoint slides.
We try to teach them about very complicated and complex types of attacks.
And we talk to them in very strong generalities.
And we really don't try to bring home, what does that mean for you as a person and for
your role in a company?
And so at Living Security, what we believe in is being able to identify and isolate different groups of users that are risky for specific areas.
And then how do we intervene in a way that makes sense to them?
We want to talk to an accountant like an accountant, not just like an employee of a 50,000-person company.
An accountant will know if their computer gets breached or taken over what that means for their
team and for the organization, while a customer support agent may not know the same impact
for that finance person.
And so really getting very specific and intentional
on who we are trying to train and for what reason
and focusing on behaviors instead of focusing on just the theory.
Like, what is ransomware? What is phishing?
It's like, how do you properly,
what do we expect when you get a potential phishing email?
What do we expect if you think your computer's running slow?
How do we really get our end users to feel empowered
to make a decision, which may just mean asking for help?
I think that's one of the biggest things
that organizations should be focusing on.
All right, well, Drew Rose is co-founder
of the human risk quantification firm Living Security.
He's also a former offensive cyber military analyst.
Drew, thanks so much for joining us.
Yes, thank you so much for having me on the show
and happy Halloween to everybody.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions
designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a
default-deny approach can keep your company safe and compliant.
With TD Direct Investing, new and existing clients could get 1% cash back.
Great! That's 1% closer to being part of the 1%...
Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing.
Conditions apply. Offer ends January 31, 2025. Visit td.com slash di offer to learn more.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast. You can email us at cyberwire at n2k dot com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Thank you.
secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.